Botnets Churn Spam, Then Back Again

Experts with Gartner tabbed botnet infrastructure as the primary delivery model for malware in years to come while presenting their research conclusions at the company's ongoing Information Security Summit today.

That's likely no surprise to anyone who has been watching the major threat trends lately, as attacks including Gumblar and Conficker have ripped their way across huge swaths of endpoints worldwide propelled forward by advanced botnet propagation techniques.

There's also been plenty of evidence that the botnet-spam-malware trifecta has all the signs of spinning even further out of control as seemingly no one has been able to successfully engineer a manner to interrupt the vicious cycle that allows the whole ecosystem to continue to inject new life into itself.

According to a wide range of recent reports, spam levels have been back on the upswing in a major way. In a related study, researchers with MessageLabs have released new figures that highlight the accelerant nature that botnets and spam continue to have on each other -- while both are being used to visit attacks upon end users unlucky enough to get drawn into their midst.

MessageLabs, a division of Symantec, reported that spam levels are currently surpassing some 90 percent of all e-mail worldwide. And the engine behind the spam surge is botnet infrastructure, of course, the company said. In total, botnets account for 80 percent of all spam, the research contends.

One of the biggest factors enabling the whole phenomenon is the ease with which today's botnet masters have been able to engineer or get their hands on programs allowing them to game the CAPTCHA controls used by webmail providers designed precisely to prevent such abuse from taking place.

"Botnets not only send spam directly, but also control the sending of spam through webmail accounts in such a way as to make it appear as though there is a real person behind the use of each webmail account. Many such webmail accounts are set up automatically using CAPTCHA-breaking tools to bypass the visual puzzles found on the signup pages of websites," MessageLabs experts said in a report summary.

Among the biggest botnets tapping into the power of spam are well-known names including Cutwail, Mega-D, Xarvester and Donbot. Other botnets including Grum and Rumstock have ridden the spam fueling model to a less predictable extent, the company reported.

Cutwail remains the primary culprit at present, accounting for 46 percent of all spam, and controlling between 1.5 and 2 million active bots. The zombie network, perhaps once the world's largest, has undergone a recent dip in activity at the hands of the shutdown of shady ISP Pricewert, but has not been undone altogether, MessageLabs said.

Mega-D was the largest botnet at the beginning of 2009, but has been on the decline and now generates only 9.3 percent of all spam. Yet the network is still one of the fastest to propagate self-feeding spambots, the firm contends.

Xarvester and Donbot remain top tier botnets in terms of size but are producing under 5 percent of all spam respectively.

And while Grum and Rumstock combine for roughly 10 percent of all spam, they wax and wane through unpredictable ups and downs in activity, according to the report.

Botnets make spambots that begat malware that creates more spambots used to deliver malware that carries botnet payloads.

In that sense it's not so much a game of cat-and-mouse in this arena as much as it is a match of chasing one's own tail.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.